Difference between revisions of "Nintendo Switch (Homebrew)"

From Halcove
Revision as of 07:31, 13 March 2022

Hardware

Powered by Nvidia's Tegra X1 line of SoCs (systems on a chip), the Nintendo Switch is a mid-range gaming tablet and was, at the time of release, the most powerful handheld yet released by a dedicated gaming company.

Tegra X1

While there are three major revisions of the Tegra X1, Nintendo makes no use of any performance differences between them in practice. As the Tegra X1+ uses a smaller process node (16nm rather than 20nm), it is more energy efficient, which in turn means cooler thermals and longer battery life. Nintendo designates consoles using the Tegra X1+ as HAC-001(-01) units.

Erista (T210)

This is the only model of the Tegra X1 vulnerable to CVE-2018-6242 (known as Fusée Gelée or ShofEL2).

The Tegra T210 is the original model of the processor, released by Nvidia in 2015 and used in the original 2017 model of the Nintendo Switch. This SoC is codenamed Erista and has a drastically higher power draw than the Tegra T214.

In mid-2019, Nintendo began shipping Erista units whose bootROM carries a factory-applied patch (an "ipatch") that mitigates CVE-2018-6242, closing the main community entrypoint for custom firmware. These patched Erista units, alongside Mariko units, are commonly referred to as "patched units". The patch is applied at the factory only: an Erista unit that shipped unpatched cannot be patched by a system update.

The CPU has four ARMv8-A Cortex-A57 cores, which Horizon clocks at 1GHz whether docked or handheld, although the SoC officially supports clock speeds up to 1.9GHz.

The GPU scales from 384MHz in handheld mode to 768MHz in docked mode, but officially supports speeds up to 921MHz.

Mariko (T214)

This revision was introduced in August 2019 with the HAC-001(-01) and the Nintendo Switch Lite (HDH-001). Regardless of model, every Switch console manufactured after the Mariko rollout is a Mariko unit.

It draws roughly half the power of the original console to run the same software, thereby producing less heat and providing longer battery life.

Also known as the T210B01 revision, the T214 can reach higher clock frequencies without thermal throttling and could therefore serve as a more powerful SoC, should Nintendo ever choose to go that route. The homebrew community has overclocked the CPU of Mariko chips to 2397MHz and the GPU to 1305MHz.

The bootROM was fully rewritten, so CVE-2018-6242 is not present in any capacity, and since the bootROM is read-only it cannot be reintroduced. By definition these are also patched units, but the community usually refers to them explicitly as Mariko units to distinguish them from patched Erista units.

Horizon

Horizon (hereafter HOS or HorizonNX) is a heavy rewrite and reimagining of the Nintendo 3DS operating system of the same name. Equivalent system calls and design concepts carry over, which, given the timeframe in which the OS was developed (early 2015 to early 2017), explains how Nintendo managed to ship a fully functional OS so quickly.

Custom firmwares

Atmosphère

Atmosphère is the main custom firmware for the Nintendo Switch, developed primarily by SciresM of the ReSwitched team. The name is an allusion: Atmosphère runs on top of Horizon, just as the atmosphere rests above the horizon.

ReiNX

A deprecated fork of Atmosphère, ReiNX offers no features that Atmosphère itself lacks and has not been updated since May 2020.

SXOS

A commercial fork of Atmosphère, SX OS was developed primarily for game piracy on the Nintendo Switch.

SX OS and the modchips bundled with it are illegal to manufacture, purchase, or own in the US due to multiple violations of copyright law: the software hardcodes Nintendo's firmware decryption keys (in an attempt to avoid showing Atmosphère branding during sept, an Atmosphère boot stage), and its source code was never released, in violation of Atmosphère's GPLv2 license, which requires derivative works to disclose their full source code to the public.

Like ReiNX, SX OS has not been updated in years, following successful legal action by Nintendo and a US federal criminal case investigated by the FBI, in which the team was identified as a piracy group.

Exploits

Several write-ups and conference talks cover the reverse-engineering of the Switch console.

Hardware

Hardware exploits arise either from physical attacks on the console's components or from flaws in code burned into read-only or write-once parts of the console, e.g. the bootROM. Such flaws cannot be patched by a software update; closing them requires changing the hardware itself, which in practice means a new console revision or a factory-applied patch rather than a fix for units already sold.

Fusee Gelee

"Fusée gelée" is French for "frozen rocket", a reference to the cold-boot nature of the exploit.

This is an unpatchable, tethered bootROM exploit (tethered meaning it has to be re-run from an external device on every cold boot). It targets the Switch console's boot and power management processor (BPMP), the ARM7 core inside the Tegra X1 that runs the bootROM, and works by getting a payload copied into an executable region of memory (a step jokingly referred to as a "memecpy" by those involved in its development), from where the unsigned payload is run.

Approximately thirty to forty million vulnerable consoles were sold. As time passes, these consoles will become a rarity.

The exploit requires physical access to the console's USB-C port: the console is put into recovery mode (RCM) and a custom payload is sent to it over USB. RCM is a factory mode intended for maintenance and repair of damaged consoles and for initial factory setup. Fusée Gelée bypasses signature verification of the payload the bootROM accepts in RCM and thereby every technological protection measure present on the console at boot time, with minimal external hardware.
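The bug class behind the "memecpy" above, as an added illustration that is not code from this page, from Nvidia, or from the exploit's authors: the published bug behind CVE-2018-6242 is a copy in the bootROM's RCM USB stack whose length is taken straight from the host-supplied wLength field of a USB control request, unbounded by the size of the destination buffer. The C model below reconstructs that pattern beside a bounded version. The frame layout (a 64-byte response buffer followed by the saved return address), the GET_STATUS request, and the fill byte are assumptions made for the demonstration, not the bootROM's actual sizes or layout; the 64 KiB slack region exists only so the oversized copy stays within defined behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard 8-byte USB SETUP packet (USB 2.0 spec, chapter 9). Every field is
 * chosen by whatever is plugged into the USB-C port. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;   /* transfer size declared by the host: attacker controlled */
} usb_setup_t;

#define RESP_BUF_SIZE 64u
#define GOOD_LR 0x40010000u   /* arbitrary stand-in for a legitimate return address */

/* ASSUMED layout, not the Tegra bootROM's: a fixed response buffer followed by
 * the saved return address, as on a stack frame. The 64 KiB slack region
 * exists only so that a copy of any 16-bit wLength stays inside one C object
 * and the demo has defined behaviour; on real silicon the copy would run over
 * whatever follows the buffer on the stack. */
typedef struct {
    uint8_t  resp[RESP_BUF_SIZE];
    uint32_t saved_lr;
    uint8_t  slack[0x10000];
} model_frame_t;

/* Vulnerable pattern: the copy length comes straight from wLength. `resp` is
 * the first member, so (uint8_t *)f is the same address as f->resp. */
static size_t handle_ctrl_vuln(const usb_setup_t *req, const uint8_t *src,
                               model_frame_t *f)
{
    memcpy((uint8_t *)f, src, req->wLength);   /* no check against RESP_BUF_SIZE */
    return req->wLength;
}

/* Hardened pattern: the destination size bounds the copy, and an over-long
 * request is rejected (a real USB stack would STALL the endpoint). */
static bool handle_ctrl_fixed(const usb_setup_t *req, const uint8_t *src,
                              model_frame_t *f, size_t *copied)
{
    if (req->wLength > RESP_BUF_SIZE) {
        *copied = 0;
        return false;
    }
    memcpy(f->resp, src, req->wLength);
    *copied = req->wLength;
    return true;
}

/* Feed one GET_STATUS-style request, whose data stage is filled with `fill`,
 * through the chosen handler. Reports the saved return address afterwards and
 * the number of bytes copied (-1 if the request was rejected). */
static void run_request(bool fixed, uint16_t wLength, uint8_t fill,
                        uint32_t *lr_out, int *copied)
{
    static model_frame_t frame;      /* static: far too large for a real stack */
    static uint8_t host_data[0x10000];

    memset(&frame, 0, sizeof frame);
    frame.saved_lr = GOOD_LR;
    memset(host_data, fill, sizeof host_data);   /* constructed sample input */

    usb_setup_t req = { .bmRequestType = 0x80, .bRequest = 0x00, .wLength = wLength };
    if (fixed) {
        size_t n;
        *copied = handle_ctrl_fixed(&req, host_data, &frame, &n) ? (int)n : -1;
    } else {
        *copied = (int)handle_ctrl_vuln(&req, host_data, &frame);
    }
    *lr_out = frame.saved_lr;
}

/* Saved return address after one request (GOOD_LR means it survived). */
uint32_t lr_after(bool fixed, uint16_t wLength, uint8_t fill)
{
    uint32_t lr; int n;
    run_request(fixed, wLength, fill, &lr, &n);
    return lr;
}

/* Bytes the handler copied, or -1 if it refused the request. */
int bytes_accepted(bool fixed, uint16_t wLength)
{
    uint32_t lr; int n;
    run_request(fixed, wLength, 0x00, &lr, &n);
    return n;
}

int main(void)
{
    printf("vulnerable, wLength=0x100: saved_lr=0x%08x (was 0x%08x)\n",
           lr_after(false, 0x100, 0x41), GOOD_LR);
    printf("hardened,   wLength=0x100: saved_lr=0x%08x, accepted=%d\n",
           lr_after(true, 0x100, 0x41), bytes_accepted(true, 0x100));
    return 0;
}
```

With a 0x100-byte wLength the vulnerable handler copies everything it was asked to and leaves the saved return address reading 0x41414141, i.e. bytes the host chose; the hardened handler refuses the request and leaves it intact. The fix is the one every length-driven copy needs: the bound comes from the destination's size, is checked before the copy, and an implausible request is rejected rather than silently clamped.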

Technical writeup presented to Nvidia (PDF)

Nintendo Homebrew's custom firmware guide for Atmosphère

Jamais Vu

Jamais Vu translates to "never seen".

Software

General

The current version of the console's operating system does not seem to contain any noteworthy bugs that could lead to homebrew or custom firmware. Previous versions of Horizon were vulnerable to a limited number of flaws, none of which granted TrustZone access through a security issue of Nintendo's own making. Every known entrypoint that grants full system access results from a flaw originating with Nvidia.

34C3 talk (video): https://www.youtube.com/watch?v=Ec4NgWRE8ik

Trivia

  • The Nintendo Switch's BPMP is an ARM7TDMI, the same core that powered the Game Boy Advance and served as the secondary processor in the Nintendo DS family.
  • The Nintendo Switch name was finalised in 2014, two years before it was revealed in October 2016.
  • Nintendo was aware of the existence and ramifications of an RCM-based exploit well before the console's 2017 release; however, it is unclear which RCM-based exploit this refers to.
  • The Nintendo Switch OS is a major rewrite of the Nintendo 3DS operating system of the same name.

Troubleshooting

Software

  • Nintendo Switch does not boot past the Nintendo Switch logo! One of the following is likely damaged: PRODINFO, your USER partition, your SYSTEM partition, or your partition table. If you run Atmosphère, a misbehaving sysmodule or a corrupt microSD card may also be to blame.
  • Nintendo Switch does not boot past the Nintendo logo! You may have corrupted one of the boot stage slots. Restore a BCPKG2 backup.
  • After injecting a payload and booting, an error about an unknown package1 version appears! Your homebrew software does not support the Horizon firmware you are trying to run. Update your homebrew, or wait for a new release.
  • My homebrew software shows a NOFAT error message! Your microSD card is corrupt. Reformat it, or obtain a new card.

Hardware

  • Nintendo Switch does not boot past the Nintendo Switch logo, does not display on the dock, or does not charge! It is highly likely that the M92T36 chip has been destroyed by overvoltage or a physical short. Common causes are charging the unit with an uncertified USB-A to USB-C cable, using a third-party dock, or using a third-party AC adapter that does not use USB. Your Switch will likely need the M92T36 replaced.
  • Screen shows ink-like blotches that obstruct gameplay! Replace the screen.
  • Nintendo Switch emits a grinding or sawing noise when pressed together! This is the fan scraping against the console's metal backplate. Do not press the console together.
  • Nintendo Switch turns off abruptly, even with battery remaining! The battery may be decalibrated, which can happen to any battery-powered device: the reported percentage is out of sync with the charge physically remaining. To recalibrate, charge the device for double the time it normally takes to reach 100%, drain it to zero, then fully charge it again.
  • Nintendo Switch does not turn on! Is the unit in RCM? Is the unit fully charged? Do you have a modchip installed? If so, check the FAQ of the RCMX86 install guide.
  • Nintendo Switch does not enter RCM! All consoles can enter RCM, regardless of whether RCM itself can be exploited on them. If the console cannot enter RCM, software is never at fault. Provided you follow the correct steps (jig bridging the Home pin on the right Joy-Con rail, then VOL+ and Power), the culprit is always a dirty or defective bridging device ("jig"), a dirty or defective console-side slot, or torn ribbon cables.